I was excited that The Tor Browser Bundle was essentially Firefox and that it already came with several useful extensions. I had put off using it because I didn't want to sacrifice things like NoScript, HTTPS Everywhere, Privacy Badger, Ad Block Plus, and a few other extensions.

However, much to my horror, the NoScript extension included with tbb was essentially turned off. I had to compare this to my default Firefox install and reset NoScript to actually be useful and actually block scripts by default.

Is there a reason(s) for NoScript being configured the way it is for tbb? I did a quick search but didn't find explanation(s), though I do find plenty of instructions on how to make NoScript "more secure" by essentially turning it on. I first started with a version 4.x of tbb, though I don't recall the version. I think I've been using tbb for 3 or 4 versions now.

At least part of the reason NoScript acts differently is that tbb runs in Firefox's private mode, so you have to go into NoScript and enable the permanent allow option if you want to permanently allow scripts on certain sites. Those few settings make it harder to use tbb as your daily driver browser IMO.

2 Answers
2

Why is NoScript configured to allow JavaScript by default in Tor Browser? Isn't that unsafe?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work).

There's a tradeoff here. On the one hand, we should leave JavaScript enabled by default so websites work the way users expect. On the other hand, we should disable JavaScript by default to better protect against browser vulnerabilities (not just a theoretical concern!). But there's a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.

Ultimately, we want the default Tor bundles to use a combination of firewalls (like the iptables rules in Tails) and sandboxes to make JavaScript not so scary. In the shorter term, TBB 3.0 will hopefully allow users to choose their JavaScript settings more easily — but the partitioning concern will remain.

Until we get there, feel free to leave JavaScript on or off depending on your security, anonymity, and usability priorities.

The default slider value is set to provide the most 'usable' user experience. If you want to feel safer, first examine what the risks are and, as said before, make the changes in your Tor Browser (Forbid Scripts Globally via NoScript and set the Torbutton slider to the highest value).
– thelier Jul 19 '15 at 19:59
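
The partitioning concern quoted in the answer above can be put in numbers. The following is an added example, not code from the Tor Project or from anyone in this thread: it groups users by the per-site "scripts run / scripts blocked" bits that sites can see and measures the resulting anonymity sets. The site names, the user populations, and the assumption that observers see exactly one bit per site are all constructed for illustration.

```python
from collections import Counter
from math import log2

# Constructed sites; each can tell whether a visitor runs its scripts.
SITES = ["news.example", "mail.example", "shop.example", "video.example"]

def observed_vector(default_allow, exceptions, sites=SITES):
    """One bit per site: 1 if scripts run there for this user.

    With default_allow=True the exceptions are blocked sites; with
    default_allow=False they are the user's whitelist.
    """
    return tuple(int(default_allow != (s in exceptions)) for s in sites)

def anonymity_sets(users):
    """Map each observable bit vector to the number of users showing it."""
    return Counter(observed_vector(d, e) for d, e in users)

def summarize(users):
    """Size and entropy of the partition the observable bits induce."""
    sets = anonymity_sets(users)
    n = len(users)
    entropy = sum(c / n * log2(n / c) for c in sets.values())
    return {
        "sets": len(sets),
        "smallest": min(sets.values()),
        "unique_users": sum(1 for c in sets.values() if c == 1),
        "entropy_bits": round(entropy, 3),
    }

# Constructed populations of 8 users each.
ALL_DEFAULT = [(True, frozenset())] * 8    # shipped setting: scripts allowed
ALL_STRICT = [(False, frozenset())] * 8    # scripts forbidden, no exceptions
WHITELISTERS = [(False, frozenset(w)) for w in (
    {"news.example"}, {"news.example"}, {"mail.example"},
    {"news.example", "mail.example"}, {"shop.example"},
    {"video.example", "mail.example"}, set(),
    {"news.example", "shop.example", "video.example"},
)]

if __name__ == "__main__":
    for name, pop in [("default", ALL_DEFAULT), ("strict", ALL_STRICT),
                      ("whitelisters", WHITELISTERS)]:
        print(f"{name:13s} {summarize(pop)}")
```

Both uniform populations stay in a single anonymity set of 8, while the personal whitelists split the same 8 users into 7 sets, 6 of which contain exactly one user.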